The Year Targeted Phishing Went Mainstream: A story published here on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack). KrebsOnSecurity, August 2, 2018

Reddit Breach Highlights Limits of SMS-Based Authentication: Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security. KrebsOnSecurity, August 1, 2018

How to Maximize Your Cybersecurity Investment: One of the most interesting conversation starters for a consultant is when a client tells you, “We want to be as secure as a bank.” Assuming the organization isn’t in the business of providing financial services, a good consultant will always reply with, “Why?” SecurityIntelligence, August 2, 2018

Digital resilience – a step up from cybersecurity: We are living in an increasingly digital world, but many organizations are still unaware of the extent to which they rely on digital technology and the risks that come with it. As we head towards a digitally dependent future, the need for digital resilience has never been greater. CSO, August 1, 2018

Cyber Warning

Salesforce Security Alert: API Error Exposed Marketing Data: Cloud-based customer relationship management software giant Salesforce.com is warning some users of its Marketing Cloud that any data they stored may have been accessed by third parties or inadvertently corrupted because of an API error that ran from June 4 to July 18. BankInfoSecurity, August 3, 2018

Cyber Defense

Organizations challenged to keep up with security patches: A lot of organizations have patching programs in place today, but that still doesn’t account for the statistics that show us that 99% of successful attacks involve (and will continue to involve) vulnerabilities that have been known to cybersecurity professionals for at least one year. ITSP, August 2, 2018

Cyber Negligence

Credit Card Issuer TCM Bank Leaked Applicant Data for 16 Months: TCM Bank, a company that helps more than 750 small and community U.S. banks issue credit cards to their account holders, said a Web site misconfiguration exposed the names, addresses, dates of birth and Social Security numbers of thousands of people who applied for cards between early March 2017 and mid-July 2018. KrebsOnSecurity, August 3, 2018

The California Consumer Privacy Act and the GDPR: Identifying Operational Overlap: After roughly two years of seemingly non-stop GDPR conversation, the California Consumer Privacy Act of 2018 (CCPA) is the latest new kid on the block in privacy compliance, and with its broad scope reaching beyond the borders of California (the fifth-largest economy in the world) it creates unique challenges for the over 500,000 businesses estimated to be subject to the new law. CPO, July 27, 2018

Why We’re Sharing 3 Million Russian Troll Tweets: When historians try to appraise Russia’s interference in the 2016 election, which historical artifacts will they use? Then-candidate Donald Trump’s speech imploring Russia to find Hillary Clinton’s emails, perhaps. The soccer ball Vladimir Putin gave President Trump at their summit in Helsinki probably merits inclusion. And then there are the tweets — millions of them. FiveThirtyEight, July 31, 2018

Russians Are Targeting Private Election Companies, Too — And States Aren’t Doing Much About It: The American election system is a textbook example of federalism at work. States administer elections, and the federal government doesn’t have much say in how they do it. While this decentralized system has its benefits, it also means that there’s no across-the-board standard for election system cybersecurity practices. This lack of standardization has become all the more apparent over the past two years: Hackers probed 21 state systems during the lead-up to the 2016 election and gained access to one. But the federal government and states don’t appear to have made great strides to ensure that this doesn’t happen again. To do so, they’d need to deal with not only their own cybersecurity deficits but also those of the private companies that help states administer elections. FiveThirtyEight, July 30, 2018

State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China: Here’s a timely reminder that email isn’t the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned. KrebsOnSecurity, July 27, 2018


About Us

Citadel Information Group is a full-service, integrated information security management and governance firm. We work either consultatively or as part of a client’s senior management team, helping our clients cost-effectively manage the confidentiality, privacy, integrity and availability of their information.